From: Andrew Boothman
Date: Fri, 12 Apr 2002 03:31:57 +0100
To: Bob Kersten
Cc: freebsd-questions@freebsd.org
Subject: Re: binding named to my internal network
Message-ID: <3CB6471D.8010209@cream.org>

Bob Kersten wrote:
> Hi,
>
> I'm running named on my server to allow the users of my internal
> network to fill in this server as their DNS server. This server has
> two NICs, one for the external (internet) connection and one for
> internal traffic (address 10.0.0.1). My clients have IP 10.0.0.2 and
> up. This is working just fine, but I discovered that I can use this
> server as my DNS server from my computer at work (outside my internal
> network) by entering the IP I got from my ISP and which I have set up
> for the first NIC I mentioned above.
>
> I don't know if this makes the situation clear for you, but I
> would like to restrict access to my DNS server from outside and only
> allow the internal clients to use the server for their DNS.

In general Bob, you need to give careful thought when you install
services on a box that is acting as a gateway between an internal
network and the Internet. It is important that you don't expose services
to the Internet that you didn't intend. Keep ports open on the Internet
'side' as few as possible, i.e. none if you don't need to offer any.

In this case, look inside /etc/namedb/named.conf. Inside the "options {"
section, underneath the "directory" line add something that looks like

    listen-on{10.0.0.1;127.0.0.1;};

This will restrict named to only listening on the IP addresses that you
list. Don't forget to include 127.0.0.1 so that named can still answer
requests from the local machine, and don't forget the semi-colon after
the last IP address - it looks wrong but you do need it! :-)

Then do a "killall -SIGHUP named" to get named to reload its
configuration, and you should be sorted.

In future you may also want to consider using ipfw firewall rules to
disable certain kinds of incoming traffic if you don't disable it in the
configuration of the individual service.

Good luck!

Andrew.
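An added check, not part of the original thread, for confirming the change took effect: after the listen-on edit and the SIGHUP, feed the output of FreeBSD's `sockstat -4 -l` to this function and it lists any address named still binds on port 53 outside the internal/loopback set. The sample sockstat output is constructed, and 203.0.113.5 is a placeholder for the ISP-assigned external address.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): verify that named
# listens only on the addresses given in listen-on. Input is the output of
# `sockstat -4 -l` on FreeBSD (columns: USER COMMAND PID FD PROTO LOCAL FOREIGN).

ALLOWED="10.0.0.1 127.0.0.1"

# Reads sockstat output on stdin. Prints each local address that named binds
# on port 53 and that is not in ALLOWED (a bare "*" means all interfaces).
# Returns 0 if named is internal-only, 1 if it still answers elsewhere.
check_named_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "named" && $6 ~ /:53$/ {
            addr = $6; sub(/:53$/, "", addr)
            if (!(addr in ok)) { print addr; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: what sockstat might show before the listen-on change,
# with 203.0.113.5 standing in for the external (ISP-assigned) address.
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      412   20 udp4   10.0.0.1:53           *:*
bind     named      412   21 udp4   203.0.113.5:53        *:*
bind     named      412   22 tcp4   *:53                  *:*
root     sshd       380   4  tcp4   *:22                  *:*'

# Constructed sample: after listen-on{10.0.0.1;127.0.0.1;}; and a SIGHUP.
SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      412   20 udp4   10.0.0.1:53           *:*
bind     named      412   21 udp4   127.0.0.1:53          *:*
bind     named      412   22 tcp4   10.0.0.1:53           *:*'

# Real use on the gateway:  sockstat -4 -l | check_named_listeners
```

The check only covers what the socket table shows; a packet filter rule (ipfw, as the reply suggests) remains worthwhile for services that cannot be bound to a single address.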